Attackers may hide malware in the Recycle Bin (the `RECYCLER` folder on Windows XP and Server 2003, `$Recycle.Bin` on later versions) by moving or "deleting" malicious files into it, since files persist there and the location is rarely inspected. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify malware that persists in, and is executed from, this path and so evades traditional detection. The query below flags common living-off-the-land binaries (cmd, ftp, schtasks, powershell, rundll32, regsvr32, msiexec) whose command line references the recycler path. Note that it matches only the legacy `:\recycler` string, so extend it with `$Recycle.Bin` when hunting on modern hosts.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~('cmd.exe','ftp.exe','schtasks.exe','powershell.exe','rundll32.exe','regsvr32.exe','msiexec.exe')
| where ProcessCommandLine contains ":\\recycler"
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
```
```yaml
id: 5fa993a8-b9cd-419b-b67a-b783bf7dadbb
name: Malware_In_recyclebin
description: |
  Finding attackers hiding malware in the recycle bin.
  Read more here: https://azure.microsoft.com/blog/how-azure-security-center-helps-reveal-a-cyberattack/.
  Tags: #execution #SuspiciousPath.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where FileName in~('cmd.exe','ftp.exe','schtasks.exe','powershell.exe','rundll32.exe','regsvr32.exe','msiexec.exe')
  | where ProcessCommandLine contains ":\\recycler"
  | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the MicrosoftThreatProtection data connector; ensure it is enabled |
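As an added example (not code from the original page or from the Sentinel hunting-query repository), the query's filter chain replayed offline over constructed DeviceProcessEvents-shaped rows. It goes beyond the page's KQL in two ways that the false-positive scenarios below call for: it can optionally match the modern `$Recycle.Bin` folder name alongside the legacy `RECYCLER` one, and it applies an allowlist of (initiating process, account) pairs to suppress known maintenance launches. The sample rows, host names, accounts and the allowlist entry are all made up for illustration.

```python
"""Added example, not from the original page or the Sentinel query repo:
replay the recycle-bin hunt's filter chain over constructed
DeviceProcessEvents rows, with two extensions the page's KQL lacks:
matching the modern $Recycle.Bin folder name and an allowlist of known
maintenance launches. All rows, hosts and accounts below are made up."""
from datetime import datetime, timedelta, timezone

# Mirrors the KQL `FileName in~ (...)`; in~ is case-insensitive, so compare lowercased.
WATCHED_BINARIES = {"cmd.exe", "ftp.exe", "schtasks.exe", "powershell.exe",
                    "rundll32.exe", "regsvr32.exe", "msiexec.exe"}

# The page's query checks only the XP-era "RECYCLER" folder. On Vista and later
# the folder is "$Recycle.Bin", so the extended tuple covers both. KQL `contains`
# is case-insensitive, mirrored here by lowercasing the command line.
LEGACY_FRAGMENTS = (":\\recycler",)
ALL_FRAGMENTS = (":\\recycler", ":\\$recycle.bin")

QUERY_TIME = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # stand-in for now()


def _row(hours_ago, device, file_name, cmd, parent, account):
    """Build one constructed DeviceProcessEvents-shaped row."""
    return {"Timestamp": QUERY_TIME - timedelta(hours=hours_ago), "DeviceName": device,
            "FileName": file_name, "ProcessCommandLine": cmd,
            "InitiatingProcessFileName": parent, "AccountName": account}


SAMPLE_EVENTS = [
    # Legacy RECYCLER path: the only row the page's query would return.
    _row(2, "ws01", "rundll32.exe",
         "rundll32.exe C:\\RECYCLER\\S-1-5-21-1234-500\\x.dll,Start", "explorer.exe", "jdoe"),
    # Modern $Recycle.Bin path launched from a script host: missed by the legacy query.
    _row(26, "ws02", "PowerShell.exe",
         "powershell -ep bypass -f C:\\$Recycle.Bin\\S-1-5-21-9-1001\\update.ps1",
         "wscript.exe", "asmith"),
    # Same folder but a known cleanup job: a candidate for an allowlist exclusion.
    _row(5, "srv01", "cmd.exe", "cmd.exe /c rd /s /q C:\\$Recycle.Bin",
         "cleanup.exe", "svc_cleanup"),
    # Ten days old: dropped by `Timestamp > ago(7d)`.
    _row(24 * 10, "ws04", "cmd.exe", "cmd.exe /c C:\\RECYCLER\\old.bat", "cmd.exe", "jdoe"),
    # Not one of the watched binaries: dropped by the FileName filter.
    _row(1, "ws03", "notepad.exe", "notepad.exe C:\\RECYCLER\\notes.txt", "explorer.exe", "jdoe"),
]


def hunt(events, now=QUERY_TIME, window=timedelta(days=7),
         fragments=LEGACY_FRAGMENTS, allowlist=frozenset()):
    """Apply the query's filters in order and project the same four columns.

    allowlist holds lowercased (initiating process, account) pairs that are
    treated as known maintenance and suppressed; this exclusion shape is an
    assumption for the example, not part of the page's query.
    """
    hits = []
    for ev in events:
        if ev["Timestamp"] <= now - window:                  # | where Timestamp > ago(7d)
            continue
        if ev["FileName"].lower() not in WATCHED_BINARIES:   # | where FileName in~ (...)
            continue
        cmd = ev["ProcessCommandLine"].lower()
        if not any(f in cmd for f in fragments):             # | where ProcessCommandLine contains ...
            continue
        key = (ev["InitiatingProcessFileName"].lower(), ev["AccountName"].lower())
        if key in allowlist:                                 # tuning step, not in the page's query
            continue
        hits.append({k: ev[k] for k in
                     ("Timestamp", "DeviceName", "ProcessCommandLine", "InitiatingProcessFileName")})
    return hits


def hit_devices(**kwargs):
    """Device names returned by hunt() over the sample rows, in event order."""
    return [h["DeviceName"] for h in hunt(SAMPLE_EVENTS, **kwargs)]


if __name__ == "__main__":
    print("page's query:   ", hit_devices())
    print("+ $Recycle.Bin: ", hit_devices(fragments=ALL_FRAGMENTS))
    print("+ allowlist:    ", hit_devices(fragments=ALL_FRAGMENTS,
                                          allowlist=frozenset({("cleanup.exe", "svc_cleanup")})))
```

Run stand-alone, the page's query shape returns only `ws01`; adding the `$Recycle.Bin` fragment also surfaces the script-host launch on `ws02` and the cleanup job on `srv01`, and the allowlist then removes the cleanup job. The KQL equivalent of the extended match is `ProcessCommandLine has_any (":\\recycler", ":\\$recycle.bin")`; keep any allowlist keyed on hash or signed path as well as name, since a process name alone is trivial for an attacker to reuse.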
The scenarios below are the benign activity most likely to appear in the results. Bear in mind that the query only returns a row when one of the listed binaries is launched with a command line that references `:\recycler`; deleting a file through Explorer, or moving it to the Recycle Bin, does not by itself produce such a DeviceProcessEvents row, so each exclusion only matters when the benign activity involves such a process launch. Tune on the table's own columns (FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath, AccountName, AccountUpn, SHA256) rather than generic field names.
Scenario: User deletes a legitimate file using the Recycle Bin
Description: A user accidentally or intentionally deletes a legitimate file (e.g., notepad.exe) using the Recycle Bin.
Filter/Exclusion: Exclude known system files or user-installed applications by checking FolderPath or ProcessCommandLine against an allowlist, or by filtering common benign names on FileName (preferably on SHA256, which a renamed file cannot match).
Scenario: Scheduled cleanup task moves files to the Recycle Bin
Description: A system or application cleanup task (e.g., CCleaner, Disk Cleanup, or a custom script) moves temporary or obsolete files to the Recycle Bin.
Filter/Exclusion: Exclude events where InitiatingProcessFileName is a known cleanup tool or system service (e.g., Cleanup.exe, DiskCleanup.exe); pin the exclusion to InitiatingProcessFolderPath or the tool's hash as well, since a process name alone is trivial to spoof.
Scenario: Administrator performs a bulk file deletion using the Recycle Bin
Description: An administrator deletes multiple files (e.g., old logs or temporary files) using the Recycle Bin as part of routine maintenance.
Filter/Exclusion: Exclude events that belong to a known administrative task by checking AccountUpn or InitiatingProcessFileName against a list of trusted admin accounts or tools.
Scenario: Antivirus or endpoint protection cleans up the Recycle Bin
Description: An endpoint protection tool (e.g., Microsoft Defender, Bitdefender, Kaspersky) removes or remediates files in the Recycle Bin as part of its cleanup process.
Filter/Exclusion: Exclude events associated with known security software by checking InitiatingProcessFileName or SHA256 against a list of trusted security tools.
Scenario: User moves files to the Recycle Bin for archival purposes
Description: A user moves files (e.g